Public bug reported:
After patch https://review.opendev.org/c/openstack/neutron/+/821208 was merged,
when scope enforcement and the new default policies are used, the project admin
user can access and do almost everything related to the project's resources.
The system admin can only access/modify system-wide resources, e.g. agents.
So basically there is no "super user" who can access everything (which is
good, as this is one of the goals of the whole community goal IIRC).
The problem is with external gateway ports, which are intentionally not assigned
to any project and thus aren't visible in the API even for the PROJECT_ADMIN user.
I see 3 possible solutions for that:
1. We will somehow try to hardcode a rule that for external_gateway ports the
device_id owner will be checked (like it's done e.g. with parent_id for some
resources). I don't know how easy/hard it may really be to do, but I think it's
worth exploring,
2. We will change external gateway ports so that they will have an owner, which
will be the same as the owner of the router, or
3. We will hardcode something so that for project admin users such external
gateway ports will be displayed, but that means that each project admin will
see the external gateway ports used by all projects, as all those ports don't
belong to any project.
** Affects: neutron
Importance: Medium
Assignee: Slawek Kaplonski (slaweq)
Status: Confirmed
** Tags: api
https://bugs.launchpad.net/bugs/1959332
Title:
With new secure RBAC external gateway ports can't be visible in the
API
Status in neutron:
Confirmed
--
Mailing list: https://launchpad.net/~yahoo-eng-team
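The following is an added illustration, not code from Neutron or from the bug reporter. It is a minimal pure-Python stand-in for how a project-scoped "admin and project_id matches" policy rule treats an external gateway port whose project_id is empty, and how the three options in the report change the outcome: option 1 resolves the owner through the router named in device_id, option 2 is equivalent to simply filling in project_id, and option 3 shows every gateway port to every project admin. The port, router and context data are constructed; the functions (current_rule, rule_with_device_owner_lookup, rule_show_all_gateway_ports, visible_ports) are hypothetical names for the comparison and do not mirror Neutron's policy engine.

```python
"""Constructed stand-in for an oslo.policy style owner check on Neutron ports.

Not Neutron code: the rules below are hand-written approximations used only
to show why an external gateway port (empty project_id) is invisible to a
project-scoped admin and what each proposed fix would change.
"""

ROUTER_GATEWAY = "network:router_gateway"

# Constructed sample data, not from a real deployment.
ROUTERS = {
    "router-1": {"id": "router-1", "project_id": "proj-a"},
    "router-2": {"id": "router-2", "project_id": "proj-b"},
}

# External gateway ports: project_id is left empty, device_owner marks the
# role and device_id points at the owning router.
GATEWAY_PORT_A = {"id": "port-gw-a", "project_id": "",
                  "device_owner": ROUTER_GATEWAY, "device_id": "router-1"}
GATEWAY_PORT_B = {"id": "port-gw-b", "project_id": "",
                  "device_owner": ROUTER_GATEWAY, "device_id": "router-2"}

# An ordinary project-owned port for comparison.
PROJECT_PORT_A = {"id": "port-vm-a", "project_id": "proj-a",
                  "device_owner": "compute:nova", "device_id": "vm-1"}

ALL_PORTS = [GATEWAY_PORT_A, GATEWAY_PORT_B, PROJECT_PORT_A]


def project_admin_context(project_id):
    """Request context for a project-scoped admin token (constructed)."""
    return {"project_id": project_id, "roles": ["admin", "member", "reader"]}


def current_rule(ctx, port):
    """Approximation of 'role:admin and project_id:%(project_id)s'.

    A port with an empty project_id can never satisfy the project match, so
    gateway ports are hidden from every project admin.
    """
    return "admin" in ctx["roles"] and port["project_id"] == ctx["project_id"]


def rule_with_device_owner_lookup(ctx, port, routers=ROUTERS):
    """Option 1: for gateway ports, derive the owner from the router in
    device_id (hypothetical logic, not Neutron's).  Option 2 (storing the
    router's project_id on the port) yields the same answers."""
    if "admin" not in ctx["roles"]:
        return False
    owner = port["project_id"]
    if not owner and port["device_owner"] == ROUTER_GATEWAY:
        router = routers.get(port["device_id"])
        owner = router["project_id"] if router else None
    return owner == ctx["project_id"]


def rule_show_all_gateway_ports(ctx, port):
    """Option 3: any project admin may see any gateway port.  This is the
    cross-project visibility the report warns about."""
    if "admin" not in ctx["roles"]:
        return False
    if port["device_owner"] == ROUTER_GATEWAY:
        return True
    return port["project_id"] == ctx["project_id"]


def visible_ports(ctx, ports, rule):
    """Filter a port list the way an API list call filters by policy."""
    return [p["id"] for p in ports if rule(ctx, p)]


if __name__ == "__main__":
    ctx = project_admin_context("proj-a")
    for name, rule in [("current", current_rule),
                       ("option 1/2", rule_with_device_owner_lookup),
                       ("option 3", rule_show_all_gateway_ports)]:
        print(f"{name:>10}: {visible_ports(ctx, ALL_PORTS, rule)}")
```

Run as a script it prints, for a proj-a admin, the port ids each rule exposes: the current rule hides both gateway ports, the device_id lookup reveals only proj-a's own gateway port, and option 3 reveals proj-b's gateway port as well.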